cve/published/2025/CVE-2025-21781.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21781: batman-adv: fix panic during interface removal

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 batman-adv: fix panic during interface removal

 Reference counting is used to ensure that
 batadv_hardif_neigh_node and batadv_hard_iface
 are not freed before/during
 batadv_v_elp_throughput_metric_update work is
 finished.

 But there isn't a guarantee that the hard if will
 remain associated with a soft interface up until
 the work is finished.

 This fixes a crash triggered by reboot that looks
 like this:

 Call trace:
  batadv_v_mesh_free+0xd0/0x4dc [batman_adv]
  batadv_v_elp_throughput_metric_update+0x1c/0xa4
  process_one_work+0x178/0x398
  worker_thread+0x2e8/0x4d0
  kthread+0xd8/0xdc
  ret_from_fork+0x10/0x20

 (the batadv_v_mesh_free call is misleading,
 and does not actually happen)

 I was able to make the issue happen more reliably
 by changing hardif_neigh->bat_v.metric_work work
 to be delayed work. This allowed me to track down
 and confirm the fix.

 [sven@narfation.org: prevent entering batadv_v_elp_get_throughput without
  soft_iface]

 The Linux kernel CVE team has assigned CVE-2025-21781 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 5.4.291 with commit 167422a07096a6006599067c8b55884064fa0b72
 	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 5.10.235 with commit ce3f1545bf8fa28bd05ec113679e8e6cd23af577
 	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 5.15.179 with commit f0a16c6c79768180333f3e41ce63f32730e3c3af
 	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.1.129 with commit 7eb5dd201695645af071592a50026eb780081a72
 	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.6.79 with commit 072b2787321903287a126c148e8db87dd7ef96fe
 	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.12.16 with commit 2c3fb7df4cc6d043f70d4a8a10f8b915bbfb75e7
 	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.13.4 with commit 522b1596ea19e327853804da2de60aeb9c5d6f42
 	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.14 with commit ccb7276a6d26d6f8416e315b43b45e15ee7f29e2

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21781
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/batman-adv/bat_v_elp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/167422a07096a6006599067c8b55884064fa0b72
 	https://git.kernel.org/stable/c/ce3f1545bf8fa28bd05ec113679e8e6cd23af577
 	https://git.kernel.org/stable/c/f0a16c6c79768180333f3e41ce63f32730e3c3af
 	https://git.kernel.org/stable/c/7eb5dd201695645af071592a50026eb780081a72
 	https://git.kernel.org/stable/c/072b2787321903287a126c148e8db87dd7ef96fe
 	https://git.kernel.org/stable/c/2c3fb7df4cc6d043f70d4a8a10f8b915bbfb75e7
 	https://git.kernel.org/stable/c/522b1596ea19e327853804da2de60aeb9c5d6f42
 	https://git.kernel.org/stable/c/ccb7276a6d26d6f8416e315b43b45e15ee7f29e2
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21781: batman-adv: fix panic during interface removal

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	batman-adv: fix panic during interface removal

	Reference counting is used to ensure that
	batadv_hardif_neigh_node and batadv_hard_iface
	are not freed before/during
	batadv_v_elp_throughput_metric_update work is
	finished.

	But there isn't a guarantee that the hard if will
	remain associated with a soft interface up until
	the work is finished.

	This fixes a crash triggered by reboot that looks
	like this:

	Call trace:
	batadv_v_mesh_free+0xd0/0x4dc [batman_adv]
	batadv_v_elp_throughput_metric_update+0x1c/0xa4
	process_one_work+0x178/0x398
	worker_thread+0x2e8/0x4d0
	kthread+0xd8/0xdc
	ret_from_fork+0x10/0x20

	(the batadv_v_mesh_free call is misleading,
	and does not actually happen)

	I was able to make the issue happen more reliably
	by changing hardif_neigh->bat_v.metric_work work
	to be delayed work. This allowed me to track down
	and confirm the fix.

	[sven@narfation.org: prevent entering batadv_v_elp_get_throughput without
	soft_iface]

	The Linux kernel CVE team has assigned CVE-2025-21781 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 5.4.291 with commit 167422a07096a6006599067c8b55884064fa0b72
	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 5.10.235 with commit ce3f1545bf8fa28bd05ec113679e8e6cd23af577
	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 5.15.179 with commit f0a16c6c79768180333f3e41ce63f32730e3c3af
	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.1.129 with commit 7eb5dd201695645af071592a50026eb780081a72
	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.6.79 with commit 072b2787321903287a126c148e8db87dd7ef96fe
	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.12.16 with commit 2c3fb7df4cc6d043f70d4a8a10f8b915bbfb75e7
	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.13.4 with commit 522b1596ea19e327853804da2de60aeb9c5d6f42
	Issue introduced in 4.6 with commit c833484e5f3872a38fe232c663586069d5ad9645 and fixed in 6.14 with commit ccb7276a6d26d6f8416e315b43b45e15ee7f29e2

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21781
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/batman-adv/bat_v_elp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/167422a07096a6006599067c8b55884064fa0b72
	https://git.kernel.org/stable/c/ce3f1545bf8fa28bd05ec113679e8e6cd23af577
	https://git.kernel.org/stable/c/f0a16c6c79768180333f3e41ce63f32730e3c3af
	https://git.kernel.org/stable/c/7eb5dd201695645af071592a50026eb780081a72
	https://git.kernel.org/stable/c/072b2787321903287a126c148e8db87dd7ef96fe
	https://git.kernel.org/stable/c/2c3fb7df4cc6d043f70d4a8a10f8b915bbfb75e7
	https://git.kernel.org/stable/c/522b1596ea19e327853804da2de60aeb9c5d6f42
	https://git.kernel.org/stable/c/ccb7276a6d26d6f8416e315b43b45e15ee7f29e2